[106176] in North American Network Operators' Group
Re: SANS: DNS Bug Now Public?
daemon@ATHENA.MIT.EDU (Phil Regnauld)
Thu Jul 24 04:45:36 2008
Date: Thu, 24 Jul 2008 10:45:05 +0200
From: Phil Regnauld <regnauld@catpipe.net>
To: Joe Abley <jabley@ca.afilias.info>
In-Reply-To: <2A44845F-4D1F-47A8-B6F7-09B50C65C8B4@ca.afilias.info>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
Joe Abley (jabley) writes:
>
> Having just seen some enterprise types spend time patching their
> nameservers, it's also perhaps worth spelling out that "patch" in this case
> might require more than upgrading resolver code -- it could also involve
> reconfigurations, upgrades or replacements of NAT boxes too. If your NAT
> reassigns source ports in a predictable fashion, then no amount of BIND9
> patching is going to help.
Case in point, we've got customers running around in circles
screaming "we need to upgrade, please help us upgrade NOW",
but they have _3_ layers of routers and firewalls that are hardcoded to
only allow DNS queries from port 53.
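The complaint above is that a NAT or firewall in the path can undo the resolver's source-port randomization without any change to the resolver itself, so patching BIND is not enough; what matters is what an authoritative server on the far side actually sees. The following is an added example, not code from this thread or from any of the posters: a small Python check that reads tcpdump-style lines of outbound queries as an external nameserver would log them and classifies the source-port pattern as fixed (everything from one port, e.g. 53), sequential (a NAT handing out ports in order), low-entropy, or randomized. The line format and the three captures are constructed for this example; the thresholds are my own rough heuristics.

```python
"""
Check whether a resolver's outbound query source ports look random from
the outside, or whether a NAT/firewall has forced them onto a fixed port
or a sequential allocator.  Input is a tcpdump-style text capture; the
line layout below is an assumption of this example.
"""
import re

# Matches src port and dst port in a line such as
#   "IP 192.0.2.10.41932 > 198.51.100.5.53: 3421+ A? example.com."
# (assumed layout for this example).
_LINE_RE = re.compile(r"IP \S+?\.(\d+) > \S+?\.(\d+):")

# Constructed captures (not real traffic).  Same resolver, three paths.

# 1) Resolver talking directly to the Internet: ports spread across the range.
RANDOMIZED_CAPTURE = """\
10:00:01.000 IP 192.0.2.10.41932 > 198.51.100.5.53: 3421+ A? example.com.
10:00:01.010 IP 192.0.2.10.7781 > 198.51.100.5.53: 9013+ A? example.net.
10:00:01.020 IP 192.0.2.10.60102 > 198.51.100.5.53: 27781+ A? example.org.
10:00:01.030 IP 192.0.2.10.23344 > 198.51.100.5.53: 1187+ AAAA? example.com.
10:00:01.035 IP 192.0.2.10.55555 > 198.51.100.5.443: Flags [S], seq 1
10:00:01.040 IP 192.0.2.10.52017 > 198.51.100.5.53: 44120+ A? www.example.com.
10:00:01.050 IP 192.0.2.10.11290 > 198.51.100.5.53: 6052+ MX? example.com.
10:00:01.060 IP 192.0.2.10.38867 > 198.51.100.5.53: 31908+ A? example.net.
10:00:01.070 IP 192.0.2.10.64401 > 198.51.100.5.53: 12222+ A? example.org.
"""

# 2) Same queries after a NAT that allocates translated ports in order.
SEQUENTIAL_CAPTURE = """\
10:00:01.000 IP 203.0.113.1.1024 > 198.51.100.5.53: 3421+ A? example.com.
10:00:01.010 IP 203.0.113.1.1025 > 198.51.100.5.53: 9013+ A? example.net.
10:00:01.020 IP 203.0.113.1.1026 > 198.51.100.5.53: 27781+ A? example.org.
10:00:01.030 IP 203.0.113.1.1027 > 198.51.100.5.53: 1187+ AAAA? example.com.
10:00:01.040 IP 203.0.113.1.1028 > 198.51.100.5.53: 44120+ A? www.example.com.
10:00:01.050 IP 203.0.113.1.1029 > 198.51.100.5.53: 6052+ MX? example.com.
10:00:01.060 IP 203.0.113.1.1030 > 198.51.100.5.53: 31908+ A? example.net.
10:00:01.070 IP 203.0.113.1.1031 > 198.51.100.5.53: 12222+ A? example.org.
"""

# 3) Same queries through a firewall/NAT that only permits (or rewrites to)
#    source port 53, the situation described in the message above.
FIXED_CAPTURE = """\
10:00:01.000 IP 203.0.113.1.53 > 198.51.100.5.53: 3421+ A? example.com.
10:00:01.010 IP 203.0.113.1.53 > 198.51.100.5.53: 9013+ A? example.net.
10:00:01.020 IP 203.0.113.1.53 > 198.51.100.5.53: 27781+ A? example.org.
10:00:01.030 IP 203.0.113.1.53 > 198.51.100.5.53: 1187+ AAAA? example.com.
10:00:01.040 IP 203.0.113.1.53 > 198.51.100.5.53: 44120+ A? www.example.com.
10:00:01.050 IP 203.0.113.1.53 > 198.51.100.5.53: 6052+ MX? example.com.
"""


def parse_source_ports(capture_text, dst_port=53):
    """Return the source ports of every line aimed at dst_port, in order."""
    ports = []
    for line in capture_text.splitlines():
        m = _LINE_RE.search(line)
        if m and int(m.group(2)) == dst_port:
            ports.append(int(m.group(1)))
    return ports


def assess_source_ports(ports):
    """Classify a port sequence. Returns (verdict, details dict)."""
    if len(ports) < 2:
        return "insufficient", {"queries": len(ports)}
    distinct = len(set(ports))
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    # Small positive steps between consecutive queries are the signature
    # of a NAT handing out translated ports one after another.
    sequential_fraction = sum(1 for d in deltas if 0 < d <= 2) / len(deltas)
    details = {
        "queries": len(ports),
        "distinct_ports": distinct,
        "min_port": min(ports),
        "max_port": max(ports),
        "sequential_fraction": round(sequential_fraction, 2),
    }
    if distinct == 1:
        verdict = "fixed"            # e.g. everything from port 53
    elif sequential_fraction >= 0.8:
        verdict = "sequential"       # predictable; attacker can guess next port
    elif distinct >= 0.8 * len(ports) and max(ports) - min(ports) >= 10000:
        verdict = "randomized"       # distinct ports spread over a wide range
    else:
        verdict = "low-entropy"      # few ports or a narrow pool
    return verdict, details


if __name__ == "__main__":
    for name, cap in (("direct", RANDOMIZED_CAPTURE),
                      ("sequential NAT", SEQUENTIAL_CAPTURE),
                      ("sport-53 firewall", FIXED_CAPTURE)):
        verdict, details = assess_source_ports(parse_source_ports(cap))
        print(f"{name:18s} {verdict:12s} {details}")
```

Run it against a real capture taken on an authoritative server you control (tcpdump on port 53, filtered to the resolver's public address), not on the resolver's own interface; the point of the check is that the resolver's view and the outside view differ when a NAT or a "source port must be 53" rule sits in between.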